Beispiel #1
def precomp(GV):
    """Build a table of packed line coefficients for the point GV.

    One entry is produced per loop index from ``dbl``, plus one more from
    ``add`` at every index where the bits of ``n3`` and ``n`` differ.  On BN
    curves two further entries are appended after the Frobenius steps.

    GV is copied before use.  Entries are appended in the order they are
    produced, so a consumer has to walk the table with the identical bit
    schedule (same ``lbits()`` values).

    Returns the list of packed entries.
    """
    nb, n3, n = lbits()
    base = GV.copy()
    acc = base.copy()
    neg_base = -base
    table = []

    def store(coeffs):
        # Keep the strict three-way unpack so a malformed result still fails here.
        c0, c1, c2 = coeffs
        table.append(pack(c0, c1, c2))

    for i in range(nb - 2, 0, -1):
        store(dbl(acc))
        hi = big.bit(n3, i)
        lo = big.bit(n, i)
        if hi == 1 and lo == 0:
            store(add(acc, base))
        elif hi == 0 and lo == 1:
            store(add(acc, neg_base))

    if curve.PairingFriendly == BN:
        frob = base.copy()
        frob.frobenius()
        if curve.SignOfX == NEGATIVEX:
            acc = -acc
        store(add(acc, frob))
        frob.frobenius()
        frob = -frob
        store(add(acc, frob))
    return table
Beispiel #2
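 def mul(P, a, Q, b):  # double multiplication a*P+b*Q
     """Return a*P + b*Q computed in a single shared double-and-add pass.

     A negative scalar is replaced by its absolute value and the matching
     point is negated.  The loop covers at least ``curve.r.bit_length()``
     bit positions and is widened when either scalar is longer, so high
     bits of an unreduced scalar are no longer dropped.

     NOTE(review): which point is added at each step depends on the bits of
     ``a`` and ``b``, so the operation sequence is scalar-dependent.  Confirm
     callers only pass public scalars here.
     """
     if a < 0:
         a = -a
         P = -P
     if b < 0:
         b = -b
         Q = -Q
     R = ECp()
     # The scalar lengths used to be computed and then overwritten by
     # curve.r.bit_length(), which silently ignored the top bits of any
     # scalar wider than that.  Take the maximum instead.
     k = max(a.bit_length(), b.bit_length(), curve.r.bit_length())
     W = P.copy()
     W.add(Q)  # P + Q, used when both scalars have the current bit set
     for i in range(k - 1, -1, -1):
         R.dbl()
         bit_a = big.bit(a, i)
         bit_b = big.bit(b, i)
         if bit_a == 1 and bit_b == 1:
             R.add(W)
         elif bit_a == 1:
             R.add(P)
         elif bit_b == 1:
             R.add(Q)
     return R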
Beispiel #3
def another_pc(r, T, QV):
    """Fold one more pairing into the accumulator r from a precomputed table.

    r  -- indexable accumulator; r[i] is multiplied in place for every loop
          index i, and r[0] receives the extra BN product.
    T  -- sequence of packed entries, read strictly in order.
    QV -- point whose affine coordinates are passed to ``unpack``; it is
          copied first, so the argument itself is not converted here.

    Returns None.  Nothing is modified when QV is the point at infinity.

    NOTE(review): T is indexed without a length check; a table built with a
    different bit schedule either raises IndexError or is read out of step.
    """
    if QV.isinf():
        return
    nb, n3, n = lbits()
    pt = QV.copy()
    pt.affine()
    Qx, Qy = pt.getxy()
    pos = 0  # read cursor into T
    for i in range(nb - 2, 0, -1):
        line = unpack(T[pos], Qx, Qy)
        pos += 1
        hi = big.bit(n3, i)
        lo = big.bit(n, i)
        # Both signed-digit cases consume exactly one extra table entry.
        if (hi == 1 and lo == 0) or (hi == 0 and lo == 1):
            extra = unpack(T[pos], Qx, Qy)
            pos += 1
            line.smul(extra)
        r[i] *= line

    if curve.PairingFriendly == BN:
        line = unpack(T[pos], Qx, Qy)
        pos += 1
        extra = unpack(T[pos], Qx, Qy)
        line.smul(extra)
        r[0] *= line
Beispiel #4
def another(r, P1, Q1):
    """Multiply the line values of one more pairing into the accumulator r.

    r      -- indexable accumulator; r[i] is updated in place for each loop
              index, and r[0] takes the BN correction product.
    P1, Q1 -- the two pairing inputs; both are copied before being converted
              to affine form, so the arguments are not converted here.

    Returns None.  When Q1 is the point at infinity r is left untouched.

    NOTE(review): only Q1 is checked for infinity; P1 is not checked here.
    Confirm callers validate it.
    """
    if Q1.isinf():
        return
    nb, n3, n = lbits()
    P = P1.copy()
    Q = Q1.copy()

    P.affine()
    Q.affine()
    A = P.copy()
    Qx, Qy = Q.getxy()
    for i in range(nb - 2, 0, -1):
        # presumably g() also advances A as a side effect; confirm against g
        lv = g(A, A, Qx, Qy)

        # The two tests below are mutually exclusive: bits (1,0) use P,
        # bits (0,1) use -P.
        if big.bit(n3, i) == 1 and big.bit(n, i) == 0:
            lv2 = g(A, P, Qx, Qy)
            lv.smul(lv2)
        if big.bit(n3, i) == 0 and big.bit(n, i) == 1:
            lv2 = g(A, -P, Qx, Qy)
            lv.smul(lv2)
        r[i] *= lv

    # Extra steps taken only on BN curves: two line values built from
    # Frobenius images of P, combined into r[0].
    if curve.PairingFriendly == BN:
        KA = P.copy()
        KA.frobenius()
        if curve.SignOfX == NEGATIVEX:
            A = -A
        lv = g(A, KA, Qx, Qy)
        KA.frobenius()
        KA = -KA
        lv2 = g(A, KA, Qx, Qy)
        lv.smul(lv2)
        r[0] *= lv
Beispiel #5
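def another(r, P1, Q1):
    """Multiply the line values of one more pairing into the accumulator r.

    r      -- indexable accumulator; r[i] is updated in place for each loop
              index, and r[0] takes the BN correction product.
    P1, Q1 -- the two pairing inputs; both are copied before being converted
              to affine form.

    Returns None.  A pairing with the point at infinity contributes nothing,
    so r is left untouched when Q1 is at infinity instead of being multiplied
    by line values computed from that point's coordinates.

    NOTE(review): P1 is not checked for infinity here. Confirm callers
    validate it.
    """
    if Q1.isinf():
        return
    nb, n3, n = lbits()
    P = P1.copy()
    Q = Q1.copy()

    P.affine()
    Q.affine()
    A = P.copy()
    Qx, Qy = Q.getxy()
    for i in range(nb - 2, 0, -1):
        # presumably g() also advances A as a side effect; confirm against g
        lv = g(A, A, Qx, Qy)

        # Mutually exclusive signed-digit cases: (1,0) uses P, (0,1) uses -P.
        if big.bit(n3, i) == 1 and big.bit(n, i) == 0:
            lv2 = g(A, P, Qx, Qy)
            lv.smul(lv2)
        if big.bit(n3, i) == 0 and big.bit(n, i) == 1:
            lv2 = g(A, -P, Qx, Qy)
            lv.smul(lv2)
        r[i] *= lv

    # Extra steps taken only on BN curves.
    if curve.PairingFriendly == BN:
        KA = P.copy()
        KA.frobenius()
        if curve.SignOfX == NEGATIVEX:
            A = -A
        lv = g(A, KA, Qx, Qy)
        KA.frobenius()
        KA = -KA
        lv2 = g(A, KA, Qx, Qy)
        lv.smul(lv2)
        r[0] *= lv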
Beispiel #6
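 def mul(P, a, Q, b):  # double multiplication a*P+b*Q
     """Compute a*P + b*Q with one interleaved double-and-add loop.

     Negative scalars are folded into the points (the scalar is negated and
     so is its point).  The loop length is the largest of the two scalar bit
     lengths and ``curve.r.bit_length()``, so a scalar that was not reduced
     below the group order is still processed in full.

     NOTE(review): the additions performed depend on the scalar bits, so this
     is not a fixed operation sequence.  Confirm it is not called with
     secret scalars.
     """
     if a < 0:
         a, P = -a, -P
     if b < 0:
         b, Q = -b, -Q
     R = ECp()
     # Earlier code derived the length from a and b and then overwrote it
     # with curve.r.bit_length(); longer scalars lost their top bits.
     k = max(a.bit_length(), b.bit_length(), curve.r.bit_length())
     W = P.copy()
     W.add(Q)  # precomputed P + Q for positions where both bits are set
     for i in range(k - 1, -1, -1):
         R.dbl()
         if big.bit(a, i) == 1:
             if big.bit(b, i) == 1:
                 R.add(W)
             else:
                 R.add(P)
         elif big.bit(b, i) == 1:
             R.add(Q)
     return R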
Beispiel #7
def double_miller(P, Q, U, V):
    """Run one Miller loop that accumulates two pairings, (P, Q) and (U, V).

    The loop parameter n is ``curve.x`` for non-BN curves and ``6*x + 2`` or
    ``6*x - 2`` (by sign of x) for BN curves; the loop walks the bits of
    ``3*n`` against those of ``n``.

    P and U are normalised in place via ``norm()``, so the caller's objects
    are modified.  Q and V are only read through ``getxy()``.

    Returns the Fp12 accumulator.

    NOTE(review): no argument is checked for the point at infinity here.
    Confirm callers reject or special-case such inputs.
    """
    x = curve.x

    if curve.PairingFriendly == BN:
        n = 6 * x
        if curve.SignOfX == POSITIVEX:
            n += 2
        else:
            n -= 2
    else:
        n = x

    n3 = 3 * n
    P.norm()  # acts on the argument itself, not on a copy
    A = P.copy()
    Qx, Qy = Q.getxy()
    U.norm()  # acts on the argument itself, not on a copy
    B = U.copy()
    Wx, Wy = V.getxy()
    nb = n3.bit_length()
    r = Fp12.one()
    # Miller loop: square the accumulator, then multiply in one line value
    # per pairing (presumably g() also advances A / B; confirm against g).
    for i in range(nb - 2, 0, -1):
        r.sqr()
        r *= g(A, A, Qx, Qy)
        r *= g(B, B, Wx, Wy)
        if big.bit(n3, i) == 1 and big.bit(n, i) == 0:
            r *= g(A, P, Qx, Qy)
            r *= g(B, U, Wx, Wy)
        if big.bit(n3, i) == 0 and big.bit(n, i) == 1:
            r *= g(A, -P, Qx, Qy)
            r *= g(B, -U, Wx, Wy)


    # Adjustment for a negative curve parameter: conjugate the accumulator.
    if curve.SignOfX == NEGATIVEX:
        r.conj()

    # BN-only steps: two more line values per pairing, built from Frobenius
    # images of P and of U.
    if curve.PairingFriendly == BN:
        KA = P.copy()
        KA.frobenius()
        if curve.SignOfX == NEGATIVEX:
            A = -A
            B = -B
        r *= g(A, KA, Qx, Qy)
        KA.frobenius()
        KA = -KA
        r *= g(A, KA, Qx, Qy)

        KB = U.copy()
        KB.frobenius()

        r *= g(B, KB, Wx, Wy)
        KB.frobenius()
        KB = -KB
        r *= g(B, KB, Wx, Wy)

    return r
Beispiel #8
	def __rmul__(self, other):   # use NAF
		"""Return other * self as a new ECp2, using signed-digit double-and-add.

		The digits come from comparing the bits of 3*other with those of
		other: (1, 0) adds self, (0, 1) adds -self.

		Side effect: ``self.norm()`` is called on this point before the loop.

		NOTE(review): the loop length and the additions performed depend on
		the scalar, so this is not a fixed operation sequence.  Confirm
		that is acceptable wherever the scalar is secret.
		"""
		scalar = other
		tripled = 3 * scalar
		self.norm()
		negated = -self
		acc = ECp2()
		top = tripled.bit_length() - 1
		for i in reversed(range(1, top + 1)):
			acc.dbl()
			hi = big.bit(tripled, i)
			lo = big.bit(scalar, i)
			if hi == 1 and lo == 0:
				acc.add(self)
			elif hi == 0 and lo == 1:
				acc.add(negated)
		return acc
Beispiel #9
 def __rmul__(self, other):  # use NAF
     """Return other * self as a new ECp2, using signed-digit double-and-add.

     The digits come from comparing the bits of 3*other with those of
     other: (1, 0) adds self, (0, 1) adds -self.

     NOTE(review): the loop length is taken from the scalar itself and the
     additions depend on its bits, so the operation sequence is
     scalar-dependent.  Confirm that is acceptable wherever the scalar is
     secret.
     """
     scalar = other
     tripled = 3 * scalar
     # Fixed-length alternative left disabled by the author:
     # k = curve.r.bit_length()+2
     negated = -self
     acc = ECp2()
     for i in reversed(range(1, tripled.bit_length())):
         acc.dbl()
         hi = big.bit(tripled, i)
         lo = big.bit(scalar, i)
         if hi == 1 and lo == 0:
             acc.add(self)
         elif hi == 0 and lo == 1:
             acc.add(negated)
     return acc
Beispiel #10
 def getxs(self):  # return tuple integer x and LSB of y
     """Return ``(x, s)``: integer x and the least-significant bit of y.

     On Montgomery curves the second element is always 0.  The point at
     infinity is reported as ``(0, 0)``.

     Side effect: ``self.norm()`` is called on this point.

     NOTE(review): ``(0, 0)`` is also what a finite point with x == 0 and
     even y would produce, so callers cannot tell infinity apart from this
     return value alone.  Check ``isinf()`` first where that matters.
     """
     if self.isinf():
         return (0, 0)
     self.norm()
     x_int = self.x.int()
     if curve.CurveType == MONTGOMERY:
         return (x_int, 0)
     y_lsb = big.bit(self.y.int(), 0)
     return (x_int, y_lsb)
Beispiel #11
    def pow(self, other):  # unitary only
        """Raise this element to the integer power ``other`` (unitary only).

        Uses signed digits taken from the bits of 3*other versus other: a
        (1, 0) pair multiplies by the base, a (0, 1) pair multiplies by its
        conjugate.  Squaring goes through ``usqr()``.

        Returns a new element; self is not modified.

        NOTE(review): for other == 0 the loop does not run and a copy of
        self is returned, not the identity.  Callers have to special-case a
        zero exponent.
        """
        exponent = other
        tripled = exponent * 3
        base = self.copy()
        acc = self.copy()

        for i in reversed(range(1, tripled.bit_length() - 1)):
            acc.usqr()
            hi = big.bit(tripled, i)
            lo = big.bit(exponent, i)
            if hi == 1 and lo == 0:
                acc *= base
            elif hi == 0 and lo == 1:
                # Multiply by the conjugate, then restore the base.
                base.conj()
                acc *= base
                base.conj()
        return acc
Beispiel #12
def miller(P1, Q1):
    """Run the Miller loop for the pair (P1, Q1) and return the Fp12 result.

    The loop parameter n is ``curve.x`` for non-BN curves and ``6*x + 2`` or
    ``6*x - 2`` (by sign of x) for BN curves; the loop walks the bits of
    ``3*n`` against those of ``n``.

    Both inputs are copied before being converted to affine form.

    NOTE(review): neither input is checked for the point at infinity here.
    Confirm callers reject or special-case such inputs.
    """
    x = curve.x
    if curve.PairingFriendly == BN:
        n = 6 * x
        if curve.SignOfX == POSITIVEX:
            n += 2
        else:
            n -= 2
    else:
        n = x
    n3 = 3 * n

    P = P1.copy()
    Q = Q1.copy()

    P.affine()
    Q.affine()
    A = P.copy()
    Qx, Qy = Q.getxy()
    nb = n3.bit_length()
    r = Fp12.one()
    # Miller loop: square the accumulator, then multiply in the line value
    # (presumably g() also advances A as a side effect; confirm against g).
    for i in range(nb - 2, 0, -1):
        r.sqr()
        r *= g(A, A, Qx, Qy)

        # Mutually exclusive signed-digit cases: (1,0) uses P, (0,1) uses -P.
        if big.bit(n3, i) == 1 and big.bit(n, i) == 0:
            r *= g(A, P, Qx, Qy)
        if big.bit(n3, i) == 0 and big.bit(n, i) == 1:
            r *= g(A, -P, Qx, Qy)


    # Adjustment for a negative curve parameter: conjugate the accumulator.
    if curve.SignOfX == NEGATIVEX:
        r.conj()

    # BN-only steps: two more line values built from Frobenius images of P.
    if curve.PairingFriendly == BN:
        KA = P.copy()
        KA.frobenius()
        if curve.SignOfX == NEGATIVEX:
            A = -A
        r *= g(A, KA, Qx, Qy)
        KA.frobenius()
        KA = -KA
        r *= g(A, KA, Qx, Qy)

    return r
Beispiel #13
 def getxs(self):  # return tuple integer x and LSB of y
     """Return ``(x, s)``: integer x and the least-significant bit of y.

     Works on a copy, so this point is not converted.  On Montgomery curves
     the second element is always 0; the point at infinity is reported as
     ``(0, 0)``.

     NOTE(review): ``(0, 0)`` is also what a finite point with x == 0 and
     even y would produce.  Check ``isinf()`` first where the distinction
     matters.
     """
     point = self.copy()
     if point.isinf():
         return (0, 0)
     point.affine()
     x_int = point.x.int()
     if curve.CurveType == MONTGOMERY:
         return (x_int, 0)
     y_lsb = big.bit(point.y.int(), 0)
     return (x_int, y_lsb)
Beispiel #14
 def getxs(self):				# return tuple integer x and LSB of y
     """Return the pair (integer x, low bit of y) for this point.

     The conversion to affine form happens on a copy.  Infinity maps to
     ``(0, 0)``, and Montgomery curves always report 0 as the second
     element.

     NOTE(review): the ``(0, 0)`` result for infinity is not distinguishable
     from a finite point with x == 0 and even y.  Test ``isinf()``
     separately where that matters.
     """
     work = self.copy()
     if work.isinf():
         return (0, 0)
     work.affine()
     x_value = work.x.int()
     if curve.CurveType == MONTGOMERY:
         return (x_value, 0)
     return (x_value, big.bit(work.y.int(), 0))
Beispiel #15
def ate(P1, Q1):
    """Run the Miller loop for the pair (P1, Q1) and return the Fp12 result.

    Returns ``Fp12.one()`` straight away when Q1 is the point at infinity.
    Both inputs are copied before being converted to affine form.

    NOTE(review): only Q1 is checked for infinity; P1 is not checked here.
    Confirm callers validate it.
    """
    if Q1.isinf():
        return Fp12.one()
    nb, n3, n = lbits()

    P = P1.copy()
    Q = Q1.copy()

    P.affine()
    Q.affine()
    A = P.copy()
    Qx, Qy = Q.getxy()
    r = Fp12.one()
    # Miller loop: square the accumulator, build this step's line value
    # (presumably g() also advances A as a side effect; confirm against g),
    # then multiply it in.
    for i in range(nb - 2, 0, -1):
        r.sqr()
        lv = g(A, A, Qx, Qy)

        # Mutually exclusive signed-digit cases: (1,0) uses P, (0,1) uses -P.
        if big.bit(n3, i) == 1 and big.bit(n, i) == 0:
            lv2 = g(A, P, Qx, Qy)
            lv.smul(lv2)
        if big.bit(n3, i) == 0 and big.bit(n, i) == 1:
            lv2 = g(A, -P, Qx, Qy)
            lv.smul(lv2)
        r *= lv


    # Adjustment for a negative curve parameter: conjugate the accumulator.
    if curve.SignOfX == NEGATIVEX:
        r.conj()

    # BN-only steps: two more line values built from Frobenius images of P.
    if curve.PairingFriendly == BN:
        KA = P.copy()
        KA.frobenius()
        if curve.SignOfX == NEGATIVEX:
            A = -A
        lv = g(A, KA, Qx, Qy)
        KA.frobenius()
        KA = -KA
        lv2 = g(A, KA, Qx, Qy)
        lv.smul(lv2)
        r *= lv

    return r
Beispiel #16
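    def __rmul__(self, other):   # use NAF
        """Return the scalar multiple other * self, converted to affine form.

        Montgomery curves use a ladder built on differential addition
        (``dadd``); every other curve type uses signed-digit double-and-add
        driven by the bits of 3*other versus other.

        A zero scalar on a Montgomery curve returns the fresh ``ECp()``
        value, the same starting value the other branch accumulates from.
        Before this, the ladder loop was skipped for zero and a copy of
        self came back.

        NOTE(review): in both branches the loop length comes from the scalar
        and the work done depends on its bits.  Confirm that is acceptable
        wherever the scalar is secret.
        """
        R = ECp()
        if curve.CurveType == MONTGOMERY:
            e = other
            if e != 0:
                R0 = self.copy()
                R1 = self.copy()
                R1.dbl()

                # D is the fixed difference R1 - R0 handed to dadd.
                D = self.copy()
                D.affine()
                nb = e.bit_length()
                # nb=curve.r.bit_length()
                for i in range(nb - 2, -1, -1):
                    b = big.bit(e, i)
                    R = R1.copy()

                    R.dadd(R0, D)
                    # Swap around the update so the same two operations run
                    # for either bit value.
                    if b == 1:
                        R0, R1 = R1, R0
                    R1 = R.copy()
                    R0.dbl()
                    if b == 1:
                        R0, R1 = R1, R0
                R = R0.copy()

        else:
            b = other
            b3 = 3 * b
            k = b3.bit_length()
            # k=curve.r.bit_length()+2;

            mself = -self
            for i in range(k - 1, 0, -1):
                R.dbl()
                if big.bit(b3, i) == 1 and big.bit(b, i) == 0:
                    R.add(self)
                if big.bit(b3, i) == 0 and big.bit(b, i) == 1:
                    R.add(mself)
        R.affine()
        return R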
Beispiel #17
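    def __rmul__(self, other):  # use NAF
        """Compute other * self and return it in affine form.

        On Montgomery curves a ladder with differential addition (``dadd``)
        is used; otherwise the bits of 3*other and other select additions of
        self or -self in a double-and-add loop.

        The Montgomery ladder is skipped for a zero scalar and the fresh
        ``ECp()`` value is returned, matching what the other branch yields
        for zero.  The ladder loop is empty for zero, so a copy of self was
        returned before.

        NOTE(review): loop length and per-step work follow the scalar bits in
        both branches.  Confirm that is acceptable wherever the scalar is
        secret.
        """
        R = ECp()
        if curve.CurveType == MONTGOMERY:
            e = other
            if e != 0:
                R0 = self.copy()
                R1 = self.copy()
                R1.dbl()

                # Fixed difference point for the differential additions.
                D = self.copy()
                D.affine()
                nb = e.bit_length()
                #nb=curve.r.bit_length()
                for i in range(nb - 2, -1, -1):
                    b = big.bit(e, i)
                    R = R1.copy()

                    R.dadd(R0, D)
                    # Conditional swap before and after the shared update.
                    if b == 1:
                        R0, R1 = R1, R0
                    R1 = R.copy()
                    R0.dbl()
                    if b == 1:
                        R0, R1 = R1, R0
                R = R0.copy()

        else:
            b = other
            b3 = 3 * b
            k = b3.bit_length()
            #k=curve.r.bit_length()+2;

            mself = -self
            for i in range(k - 1, 0, -1):
                R.dbl()
                if big.bit(b3, i) == 1 and big.bit(b, i) == 0:
                    R.add(self)
                if big.bit(b3, i) == 0 and big.bit(b, i) == 1:
                    R.add(mself)
        R.affine()
        return R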
Beispiel #18
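def ate(P1, Q1):
    """Run the Miller loop for the pair (P1, Q1) and return the Fp12 result.

    A pairing with the point at infinity is the identity, so ``Fp12.one()``
    is returned straight away when Q1 is at infinity instead of running the
    loop on that point's coordinates.  Both inputs are copied before being
    converted to affine form.

    NOTE(review): P1 is not checked for infinity here. Confirm callers
    validate it.
    """
    if Q1.isinf():
        return Fp12.one()
    nb, n3, n = lbits()

    P = P1.copy()
    Q = Q1.copy()

    P.affine()
    Q.affine()
    A = P.copy()
    Qx, Qy = Q.getxy()
    r = Fp12.one()
    # Miller loop: square the accumulator, build this step's line value
    # (presumably g() also advances A as a side effect; confirm against g),
    # then multiply it in.
    for i in range(nb - 2, 0, -1):
        r.sqr()
        lv = g(A, A, Qx, Qy)

        # Mutually exclusive signed-digit cases: (1,0) uses P, (0,1) uses -P.
        if big.bit(n3, i) == 1 and big.bit(n, i) == 0:
            lv2 = g(A, P, Qx, Qy)
            lv.smul(lv2)
        if big.bit(n3, i) == 0 and big.bit(n, i) == 1:
            lv2 = g(A, -P, Qx, Qy)
            lv.smul(lv2)
        r *= lv

    # Adjustment for a negative curve parameter: conjugate the accumulator.
    if curve.SignOfX == NEGATIVEX:
        r.conj()

    # BN-only steps: two more line values built from Frobenius images of P.
    if curve.PairingFriendly == BN:
        KA = P.copy()
        KA.frobenius()
        if curve.SignOfX == NEGATIVEX:
            A = -A
        lv = g(A, KA, Qx, Qy)
        KA.frobenius()
        KA = -KA
        lv2 = g(A, KA, Qx, Qy)
        lv.smul(lv2)
        r *= lv

    return r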
Beispiel #19
    def set(self, x, s=0):  # set point from x and LSB of y
        """Load this point from an x value and the low bit ``s`` of y.

        Returns False, without touching the point, when ``RHS(x)`` does not
        pass the ``qr()`` test.  Otherwise stores x, sets z to 1 and, except
        on Montgomery curves, stores the square root whose low bit equals
        ``s``; then returns True.

        NOTE(review): callers must check the return value, since on False
        the point keeps whatever coordinates it had.  ``s`` is compared
        directly with the extracted bit, so pass 0 or 1.  Nothing here
        checks subgroup membership.
        """
        field_x = Fp(x)
        y_squared = RHS(field_x)
        is_square = y_squared.qr() == 1
        if not is_square:
            return False
        self.x = field_x
        self.z = Fp(1)

        if curve.CurveType != MONTGOMERY:
            root = y_squared.sqrt()
            # Pick the root whose parity matches the requested bit.
            self.y = root if big.bit(root.int(), 0) == s else -root
        return True
Beispiel #20
    def set(self, x, s=0):			# set point from x and LSB of y
        """Set this point from an x value and the low bit ``s`` of y.

        When ``RHS(x).jacobi()`` is not 1 the point is left as it was and
        False is returned.  Otherwise x is stored, z becomes 1, and on
        non-Montgomery curves y is set to the square root whose low bit
        equals ``s``; the result is True.

        NOTE(review): the boolean result has to be checked by the caller; a
        False return leaves the previous coordinates in place.  ``s`` is
        compared directly with the extracted bit, so pass 0 or 1.  No
        subgroup check happens here.
        """
        field_x = Fp(x)
        y_squared = RHS(field_x)
        symbol = y_squared.jacobi()
        if symbol != 1:
            return False
        self.x = field_x
        self.z = Fp(1)

        if curve.CurveType == MONTGOMERY:
            return True
        root = y_squared.sqrt()
        # Pick the root whose parity matches the requested bit.
        parity = big.bit(root.int(), 0)
        self.y = root if parity == s else -root
        return True
Beispiel #21
def double_ate(P1, Q1, U1, V1):
    """Run one Miller loop that accumulates the pairs (P1, Q1) and (U1, V1).

    When Q1 is the point at infinity only (U1, V1) is evaluated, via
    ``ate``; when V1 is at infinity only (P1, Q1) is.  All four inputs are
    copied before being converted to affine form.

    Returns the Fp12 accumulator.

    NOTE(review): P1 and U1 are not checked for infinity here. Confirm
    callers validate them.
    """
    if Q1.isinf():
        return ate(U1, V1)
    if V1.isinf():
        return ate(P1, Q1)
    nb, n3, n = lbits()

    P = P1.copy()
    Q = Q1.copy()
    U = U1.copy()
    V = V1.copy()

    P.affine()
    Q.affine()
    U.affine()
    V.affine()
    A = P.copy()
    Qx, Qy = Q.getxy()
    B = U.copy()
    Wx, Wy = V.getxy()
    r = Fp12.one()
    # Miller loop: square the accumulator, then multiply in the combined
    # line value of both pairings (presumably g() also advances A / B;
    # confirm against g).
    for i in range(nb - 2, 0, -1):
        r.sqr()
        lv = g(A, A, Qx, Qy)
        lv2 = g(B, B, Wx, Wy)
        lv.smul(lv2)
        r *= lv
        # Mutually exclusive signed-digit cases: (1,0) uses P and U,
        # (0,1) uses -P and -U.
        if big.bit(n3, i) == 1 and big.bit(n, i) == 0:
            lv = g(A, P, Qx, Qy)
            lv2 = g(B, U, Wx, Wy)
            lv.smul(lv2)
            r *= lv
        if big.bit(n3, i) == 0 and big.bit(n, i) == 1:
            lv = g(A, -P, Qx, Qy)
            lv2 = g(B, -U, Wx, Wy)
            lv.smul(lv2)
            r *= lv


    # Adjustment for a negative curve parameter: conjugate the accumulator.
    if curve.SignOfX == NEGATIVEX:
        r.conj()

    # BN-only steps: two more line values per pairing, built from Frobenius
    # images of P and of U.
    if curve.PairingFriendly == BN:
        KA = P.copy()
        KA.frobenius()
        if curve.SignOfX == NEGATIVEX:
            A = -A
            B = -B
        lv = g(A, KA, Qx, Qy)
        KA.frobenius()
        KA = -KA
        lv2 = g(A, KA, Qx, Qy)
        lv.smul(lv2)
        r *= lv

        KB = U.copy()
        KB.frobenius()

        lv = g(B, KB, Wx, Wy)
        KB.frobenius()
        KB = -KB
        lv2 = g(B, KB, Wx, Wy)
        lv.smul(lv2)
        r *= lv

    return r
Beispiel #22
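def double_ate(P1, Q1, U1, V1):
    """Run one Miller loop that accumulates the pairs (P1, Q1) and (U1, V1).

    A pair whose second point is at infinity contributes the identity, so it
    is dropped before the loop: if both Q1 and V1 are at infinity the result
    is ``Fp12.one()``, and if only one is, the remaining pair is evaluated
    on its own through ``ate``.  Otherwise all four inputs are copied and
    converted to affine form.

    Returns the Fp12 accumulator.

    NOTE(review): P1 and U1 are not checked for infinity here. Confirm
    callers validate them.
    """
    if Q1.isinf():
        # Decide the both-at-infinity case here rather than relying on ate.
        return Fp12.one() if V1.isinf() else ate(U1, V1)
    if V1.isinf():
        return ate(P1, Q1)

    nb, n3, n = lbits()

    P = P1.copy()
    Q = Q1.copy()
    U = U1.copy()
    V = V1.copy()

    P.affine()
    Q.affine()
    U.affine()
    V.affine()
    A = P.copy()
    Qx, Qy = Q.getxy()
    B = U.copy()
    Wx, Wy = V.getxy()
    r = Fp12.one()
    # Miller loop: square the accumulator, then multiply in the combined
    # line value of both pairings (presumably g() also advances A / B;
    # confirm against g).
    for i in range(nb - 2, 0, -1):
        r.sqr()
        lv = g(A, A, Qx, Qy)
        lv2 = g(B, B, Wx, Wy)
        lv.smul(lv2)
        r *= lv
        # Mutually exclusive signed-digit cases: (1,0) uses P and U,
        # (0,1) uses -P and -U.
        if big.bit(n3, i) == 1 and big.bit(n, i) == 0:
            lv = g(A, P, Qx, Qy)
            lv2 = g(B, U, Wx, Wy)
            lv.smul(lv2)
            r *= lv
        if big.bit(n3, i) == 0 and big.bit(n, i) == 1:
            lv = g(A, -P, Qx, Qy)
            lv2 = g(B, -U, Wx, Wy)
            lv.smul(lv2)
            r *= lv

    # Adjustment for a negative curve parameter: conjugate the accumulator.
    if curve.SignOfX == NEGATIVEX:
        r.conj()

    # BN-only steps: two more line values per pairing, built from Frobenius
    # images of P and of U.
    if curve.PairingFriendly == BN:
        KA = P.copy()
        KA.frobenius()
        if curve.SignOfX == NEGATIVEX:
            A = -A
            B = -B
        lv = g(A, KA, Qx, Qy)
        KA.frobenius()
        KA = -KA
        lv2 = g(A, KA, Qx, Qy)
        lv.smul(lv2)
        r *= lv

        KB = U.copy()
        KB.frobenius()

        lv = g(B, KB, Wx, Wy)
        KB.frobenius()
        KB = -KB
        lv2 = g(B, KB, Wx, Wy)
        lv.smul(lv2)
        r *= lv

    return r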